Cybersecurity: Battling the Bruce Hornsby Effect

Last week I was applying my “finishing touches” on a cybersecurity presentation: one last look at Twitter, glance at a feed aggregator & skim the day’s headlines. Between breaking news on the Sony Pictures hack, progress on class action suits over the Home Depot compromise, and some continuing local coverage (in the Twin Cities) of the Target breach, there were plenty of updates. I even worked in a Dennis Rodman slide. This Sony thing is sort of his fault, after all (I kid.) Regardless of the audience or the technical subject matter there’s always something in current events that updates the content on threat vectors, victim trends, cyber liability, regulatory landscape, etc. Every time, with every presentation, some “breach du jour” or something related leads to an update in my deck. It’s a steady diet of ubiquitous bad cybersecurity news that somehow hasn’t already led to effective steps to stem the tide of compromises. I find that surprising – but should I?

A few days ago I was trying to wrap my head around the notion of “breach fatigue” vis-à-vis the average American. I’m not just concerned with it affecting my neighbors next door, but also the fellow security geeks working in offices down the hall. Case in point: When news of Target broke, I was certain it was going to be the tipping point that would lead us down a path to change on a large scale (Spoiler alert: sometimes I’m wrong about stuff.) That was my conclusion, one I’ve aired more than a handful of times, and in the year-plus since it happened, a non-trivial number of colleagues have let me know they disagree. Some common sentiments from those doubting Thomases:

– “Breach fatigue – there are just so many headlines that people start to tune it out.”
– “As long as it’s not costing the [consumers/company/shareholders] money, they don’t care.”
– “Sure, another breach, but nothing ever changes.”

Taking these in order: what about breach fatigue? Are peers and colleagues really telling me, with a straight face, “There’s so much hacking that we have to ignore it?” I stated last week I believe the root cause is that incident information is so inadequate and alternative options so scarce, it creates a “Bruce Hornsby Effect” (“That’s just the way it is, some things will never change”) in the average breach victim. That may explain why there’s not an overwhelming groundswell of victims calling for substantive security changes, but what’s IT Operations’ excuse? You’d sprain your brain trying to derive a clearer “canary in the coal mine” example of cyber threat trend analysis (or “Let’s say this Twinkie represents the normal amount of nefarious cyber activity…”)

Next comes the notion that breaches aren’t hitting pocketbooks and bottom lines. I wrote last week about the difficulties the average consumer faces in calculating the costs of a breach. But what about the hacked organizations themselves and their shareholders? As a security guy, I know there are many ongoing efforts to track and quantify the cost of a breach – probably the most notable being the Ponemon Institute’s Annual Cost of a Data Breach Study (which places the 2014 average cost at $201 per record lost.) Similarly, you can find staggering estimates around recent high profile breaches: Home Depot warns that costs will surpass its initial $70M report, Sony’s two breaches account for over a quarter billion in losses over three years, and one Target estimate eclipses $1B. But then you may notice something interesting: for companies reportedly hemorrhaging money post-incident, none of their stocks appear to be in an all-out freefall. They trend down in short term response to the attacks, but all seem to mount comebacks that make you wonder if The Street really thinks these attacks are taking a toll.[i] You would think loss figures with that many commas in them would constitute “bet your business” or existential threats, even for organizations of this size. But who’s really bearing the cost of the breach? We’re seeing that payment card breaches drop the heaviest costs on issuing banks, and many of the targeted retailers are drawing on cyber insurance policies to cover some, if not all, of the losses. It becomes another area where net effects and actual costs of an incident are hard to pinpoint. While that abstraction has made it hard to tally losses and pinpoint accountability, at least the banks have come to the conclusion that they shouldn’t be bearing the full brunt of these breaches, and they’re litigating. As of this writing, Target is facing over 100 breach related lawsuits and Home Depot nearly 50. Both companies have recently suffered preliminary rulings allowing cases against them to proceed. It seems the previously murky gulf between an incident and who owns the financial fallout of that incident may be getting some clarity soon.[ii]

“Sure, another breach, but nothing ever changes.” I find it disturbing that this particular symptom of the Bruce Hornsby Effect predominantly occurs in security professionals. Maybe you’re fighting a lot of organizational inertia and have poor, abstract metrics at your disposal, but there is a flashing neon business case for revisiting and reevaluating security posture, standards and readiness here. We could continue diving into the reasons things haven’t changed, or we can ask the much more important follow up question: Is this course sustainable? That surprise I feel every time I scan the headlines prepping for another presentation is disbelief that we haven’t already had our hand forced by some compelling event.

So what will it take to see real change?

Litigation – Litigating a breach is not a new approach. But from talking to attorney colleagues about their current case load, it seems this round of litigation involves a lot more thought about what a negligence standard and duty of care for data stewards might look like. The technical understanding of the courts has matured from previous waves of cases as well. And even factoring in inertia and breach fatigue, when the “class” in a class action suit numbers in the hundreds of millions, awards are likely to scale to levels that cause even the biggest industry players and sectors to wince. A successful suit that helps define security and negligence standards would likely bring substantive security improvements forward.

Underwriting – In addition to banks, insurers are shouldering a large portion of the burden from this last wave of high profile breaches. I’ve reviewed examples of underwriting qualifications and policy exclusions based on specific security capabilities. One policy I’ve seen specifically states that unencrypted PII is out of scope for cyber liability coverage (Here’s an example of a similar exclusion related to portable devices/removable media.) A broad-based industry initiative or underwriting shift by major insurers to require specific security controls (encryption, SIEM tools, segregation of duties, etc.) or compliance with a strategic security framework as a basis for coverage would also force substantive improvements to security postures at large.

Catastrophe – These are severely damaging events that carry tremendous impact. Some catastrophes may involve events we’ve caught bite-size glimpses of and perhaps even prepared for on a smaller scale: natural disasters (Hurricane Katrina), cyber warfare (Georgia, Ukraine), sabotage (Stuxnet), and general concerns about terrorist or nation-state attacks on critical infrastructure (power, water, transportation) and targeted systems disruption (financial market collapse.) But it would take an event of unprecedented magnitude to produce wholesale change in our approach to security and readiness. There are plenty of nightmare scenarios you can paste into this space, and numerous indicators that we are trending toward such an event. For our purposes though, my contention is that it would take a scenario with measurably greater impact than what we’ve seen to date in order to induce real change (To wit, nearly a decade after Hurricane Katrina, how many organizations still have their disaster recovery site in the same general geographic region as their production data center?) It’s entirely plausible (I’d argue predictable) to imagine that in the wake of a truly massive, crippling cyber event, many critical sectors of U.S. infrastructure would engage in a massive correction (and likely overcorrection) in security practices and standards, as they did with physical security protocols following the September 11th attacks.[iii]

The previous section once read, “What would it take to see real change?” “Would” now reads “will” as I feel all three subsequent scenarios are extremely likely, if not foregone conclusions. Litigation and underwriting will continue to evolve in ways that redistribute the financial fallout of breaches and place the onus of protection back with IT as it carves out more appropriate and prescriptive security terms. While that iterative and reactive process takes place, the baddies will continue to outpace security improvements and drive us ever closer to a tipping point cyber event. The smart money is on proactively preparing for these eventualities and getting ahead of the threats and risks, right? It’s common sense, it’s intuitive, and traditionally it just doesn’t happen because of things like inertia, fatigue, and Bruce Hornsby.

But stick to your guns, folks because “that’s just the way it is…ah, but don’t you believe them.”

[i] Time will tell with Sony.

[ii] There’s probably an entire series of discussions on cyber liability that could fork off of this thread. For the purposes of this discussion though, the most important development is that between issuing banks, breached companies, shareholders, insurers, and affected individuals, actions are proceeding to correct what some of these players perceive to be an unfair or imbalanced distribution of the costs associated with a breach.

[iii] While I’m advocating for change and improvement to security practices, I’m concerned that undertaking those changes as part of a hasty, irrational, knee-jerk response to a cyber event might actually exacerbate problems. The preferred approach is to develop an approach under normal operating circumstances, before such a catastrophe occurs, with an eye toward minimizing the impact of such an event and getting the organization back to normal business operations.